The large breach allowed the Russian gang to cull some 1.2 billion usernames and passwords over an extended period of time. (Richard Newstead/Getty Images/Flickr RF)

A Russian gang of computer hackers has gathered a staggering cache of some 1.2 billion stolen usernames and passwords, exposing vulnerabilities in some 400,000 targeted websites, according to a report Tuesday.

The find by Hold Security, a Milwaukee-based firm, also included some 542 million email addresses culled by the crew of twentysomethings based in a small south central Russian city, the New York Times reported.

"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites," Alex Holden, the founder and chief information security officer of Hold Security, told The Times. "And most of these sites are still vulnerable."

The virtual criminals do not appear to be working for the Russian government, Holden told the paper, and the gang has not sold the information. Rather, they've been paid by third-party groups to use their powerful holding of online information to send spam on social media.

The Russian government rarely pursues hackers, meaning the gang can likely continue operating unimpeded, according to The Times.

The gang operates out of a small city in Russia and is said to be using the hacked information to send spam. (kizilkayaphotos/Getty Images)

"There is a division of labor within the gang," Holden told The Times. "Some are writing the programming, some are stealing the data. It's like you would imagine a small company; everyone is trying to make a living."

Holden said he is trying to contact all the violated websites, but "most of these sites are still vulnerable." The hackers use botnets to determine a site's vulnerabilities, then clear out each site's database of any available information.

News of the massive breach comes as hundreds of hackers, online security and other tech companies gather in Las Vegas for the annual Black Hat conference, scheduled to run through Friday. The disclosure could shape future online security measures as breaches become larger, more invasive and more costly.

"Companies that rely on usernames and passwords have to develop a sense of urgency about changing this," Avivah Litan, a security analyst at research firm Gartner, told The Times. "Until they do, criminals will just keep stockpiling people's credentials."